WebAssembly Wabt Out-of-Bounds Read Vulnerability in Wasm-Decompile Component

Vulnerability

An out-of-bounds read vulnerability has been identified in WebAssembly Wabt versions through 1.0.39. The issue is in the wasm-decompile tool, specifically in the function wabt::Decompiler::VarName. Accessing memory at an invalid address causes a segmentation fault, and the issue can be exploited locally. The problem was reproduced in a release build with AddressSanitizer enabled, which indicates a potential wild pointer dereference when the decompiler processes variable names in a malformed WebAssembly binary.

Impact

Exploitation of this vulnerability causes a segmentation fault, leading to a crash of the wasm-decompile tool.

Reproduction

The vulnerability can be reproduced by compiling Wabt with Clang in release mode, with AddressSanitizer enabled. After compiling, the wasm-decompile tool can be run with a crafted WebAssembly binary that triggers the out-of-bounds read, causing a segmentation fault.
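A triage helper for the crash described above, as an added example that is not part of the original advisory or of the Wabt project: it parses AddressSanitizer output captured from a wasm-decompile run and reports whether the crash is a read SEGV with wabt::Decompiler::VarName on the stack. The sample log is constructed, and the helper name `triage` and the `<build-dir>` paths are assumptions.

```python
import re

# Constructed AddressSanitizer report (not from the advisory): the PID,
# addresses and <build-dir> paths are placeholders, and the VarName
# signature is abbreviated to "(...)".
SAMPLE_ASAN_LOG = """\
AddressSanitizer:DEADLYSIGNAL
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x000000401000 bp 0x000000000000 sp 0x7ffc00000000 T0)
==4242==The signal is caused by a READ memory access.
    #0 0x401000 in wabt::Decompiler::VarName(...) (<build-dir>/wasm-decompile+0x1000)
    #1 0x402000 in main (<build-dir>/wasm-decompile+0x2000)
SUMMARY: AddressSanitizer: SEGV (<build-dir>/wasm-decompile+0x1000) in wabt::Decompiler::VarName(...)
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+)", re.M)
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
# Symbol name of each stack frame, cut at the first "(" or space.
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in ([^\s(]+)", re.M)


def triage(log, target="wabt::Decompiler::VarName"):
    """Summarise one ASan report; `triage` is a hypothetical helper name."""
    err = ERROR_RE.search(log)
    if err is None:
        # No ASan error banner: the tool exited without a sanitizer report.
        return {"crash": False, "matches_advisory": False}
    access = ACCESS_RE.search(log)
    frames = FRAME_RE.findall(log)
    kind = err.group(1)
    mode = access.group(1) if access else None
    return {
        "crash": True,
        "kind": kind,
        "access": mode,
        "top_frame": frames[0] if frames else None,
        # The advisory describes a read that segfaults in VarName, so require
        # SEGV + READ with VarName anywhere on the reported stack.
        "matches_advisory": kind == "SEGV" and mode == "READ" and target in frames,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ASAN_LOG))
```

Feed it the stderr of a sanitizer-built wasm-decompile run to separate this crash from unrelated findings during fuzzing or regression testing of a patched build.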

Added: Jan 1, 2026, 9:18 PM
Updated: Jan 1, 2026, 9:18 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.